Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 550458 (CVE-2015-3200) - <www-servers/lighttpd-1.4.37: log injection via malformed base64 string in Authentication header (CVE-2015-3200)
Summary: <www-servers/lighttpd-1.4.37: log injection via malformed base64 string in Au...
Status: RESOLVED FIXED
Alias: CVE-2015-3200
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa cve]
Keywords:
: 604410 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-05-26 12:27 UTC by Agostino Sarubbo
Modified: 2017-01-30 13:23 UTC (History)
3 users (show)

See Also:
Package list:
=www-servers/lighttpd-1.4.42
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-05-26 12:27:00 UTC
From ${URL} :

When basic HTTP authentication base64 string does not contain colon character (or contains it after NULL byte - can be inserted inside base64 encoding), then that situation is logged with a string ": is missing in " and the simply decoded base64 string. This 
means that new lines, NULL byte and everything else can be encoded with base64 and are then inserted to logs as they are after decoding.

For example header "Authorization: Basic dGVzdAAKMjEwMC0wMS0wMSAwMDowMDowMDogKG1hZ2ljLmMuODU5KSBJVCdTIFRIRSBFTkQgT0YgVEhFIFdPUkxEIQ==" results in two log lines:

"
2015-05-14 12:55:54: (http_auth.c.859) : is missing in test
2100-01-01 00:00:00: (magic.c.859) IT'S THE END OF THE WORLD
"

Upstream issue:

http://redmine.lighttpd.net/issues/2646

External References:

http://jaanuskp.blogspot.com/2015/05/cve-2015-3200.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:36:58 UTC
CVE-2015-3200 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3200):
  mod_auth in lighttpd before 1.4.36 allows remote attackers to inject
  arbitrary log entries via a basic HTTP authentication string without a colon
  character, as demonstrated by a string containing a NULL and new line
  character.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev Security 2015-09-02 13:06:00 UTC
Fixed in 1.4.36 - http://www.lighttpd.net/2015/7/26/1.4.36/
Comment 3 Yury German Gentoo Infrastructure gentoo-dev Security 2015-11-03 14:34:41 UTC
1.4.37-r1 is in the tree. Are we ready for stabilization?
Comment 4 zlg (RETIRED) gentoo-dev 2016-09-12 07:37:18 UTC
There are various bugs holding up the last few versions of lighttpd. I've spoken with upstream and they're aiming for 1.4.42 to be a more-stable release, due some time in October. Most of the existing bugs (including this one) are fixed by 1.4.40 and 1.4.41, but both have known issues. I will include a live ebuild as a temporary solution for users (and to facilitate development on lighttpd itself), but currently no newer ebuilds are suitable for stable and I think we'd be doing our users a disservice by replacing one buggy version with another.
Comment 5 zlg (RETIRED) gentoo-dev 2016-10-20 04:08:29 UTC
lighttpd-1.4.42 recently hit our git tree. I'm hoping it's solid enough for a stable candidate so we can put this bug behind us. It appears this bug has been fixed upstream for a while, but 1.4.42 is the first version since 1.4.35 so far that has a chance at meeting our stability criteria. Please test 1.4.42 and confirm this particular bug is fixed.

I'm adding the InVCS keyword so we know it's on track to stabilize.
Comment 6 Thomas Deutschmann gentoo-dev Security 2016-11-19 16:36:05 UTC
Like comment #2 said this was already fixed by upstream in v1.4.36. It hits our repository with v1.4.37 via https://gitweb.gentoo.org/repo/gentoo.git/commit/www-servers/lighttpd?id=631ae96fe8a9914dae5f67b43030dafd15e3c6e4


@ Maintainer(s): So yes, =www-servers/lighttpd-1.4.42 is a stable candidate. Can we start stabilization?
Comment 7 zlg (RETIRED) gentoo-dev 2016-11-20 10:24:37 UTC
(In reply to Thomas Deutschmann from comment #6)
> Like comment #2 said this was already fixed by upstream in v1.4.36. It hits
> our repository with v1.4.37 via
> https://gitweb.gentoo.org/repo/gentoo.git/commit/www-servers/
> lighttpd?id=631ae96fe8a9914dae5f67b43030dafd15e3c6e4
> 
> 
> @ Maintainer(s): So yes, =www-servers/lighttpd-1.4.42 is a stable candidate.
> Can we start stabilization?

Based on what I've found in Bugzilla, most open bugs are IN_PROGRESS waiting for stabilization to get properly closed. I see no open bugs for 1.4.42, so I'll get the stabilization bug started.
Comment 8 zlg (RETIRED) gentoo-dev 2016-11-20 11:08:22 UTC
My mistake; I wasn't aware we generally do stabilization inside CVE bugs. Disregard my prior comment. I recommend www-servers/lighttpd-1.4.42 for stabilization.
Comment 9 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-20 11:14:22 UTC
(In reply to Daniel Campbell from comment #8)
> My mistake; I wasn't aware we generally do stabilization inside CVE bugs.
> Disregard my prior comment. I recommend www-servers/lighttpd-1.4.42 for
> stabilization.

Daniel, as maintainer you can call for stable once the whiteboard has "stable?" or you have committed the new ebuild.

@arches, please stabilize:

=www-servers/lighttpd-1.4.42
Comment 10 Agostino Sarubbo gentoo-dev 2016-11-20 13:06:18 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-11-20 13:09:39 UTC
x86 stable
Comment 12 zlg (RETIRED) gentoo-dev 2017-01-02 15:44:21 UTC
*** Bug 604410 has been marked as a duplicate of this bug. ***
Comment 13 Agostino Sarubbo gentoo-dev 2017-01-15 15:51:39 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2017-01-17 14:26:25 UTC
ia64 stable
Comment 15 Agostino Sarubbo gentoo-dev 2017-01-18 09:51:00 UTC
sparc stable
Comment 16 Agostino Sarubbo gentoo-dev 2017-01-18 10:04:08 UTC
ppc64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2017-01-18 10:43:29 UTC
arm stable
Comment 18 Jeroen Roovers gentoo-dev 2017-01-20 06:18:22 UTC
Stable for HPPA.
Comment 19 Thomas Deutschmann gentoo-dev Security 2017-01-30 01:23:15 UTC
GLSA Vote: No


@ Maintainer(s): Please cleanup and drop at least <www-servers/lighttpd-1.4.37!
Comment 20 zlg (RETIRED) gentoo-dev 2017-01-30 13:12:36 UTC
commit c38a32ae672f32fc1e8d305d9f8204cc40be75a5
Author: Daniel Campbell <zlg@gentoo.org>
Date:   Mon Jan 30 05:09:43 2017 -0800

    www-servers/lighttpd: Cleanup old <1.4.42

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 21 Thomas Deutschmann gentoo-dev Security 2017-01-30 13:23:54 UTC
All done, repository is clean.